Welcome to CodeRanch!
You should store the time the user last logged in in their session. You can calculate the amount of time they've been logged in by subtracting the current time from the login time.
When the remaining time is zero and the user GET requests a page that requires authentication, you forward them to a page notifying them their session has timed out and that they need to log in again. Don't do this for requests other than GET, because a user might want to save changes they've made before the time ran out.
You can also introduce a live timer in JavaScript on the web page that counts down from the remaining time to zero, but you shouldn't let it automatically redirect when it reaches zero, because once again, the user might lose information they've typed into forms etc.